Social Engineering

Improve employee cyber awareness with a simulated social engineering attack

Psychological manipulation is a common approach used by criminals to trick people into performing adverse actions and/or divulging confidential information. By creating emails and web pages that imitate those of known organisations and contacts, fraudsters aim to trick individuals into clicking dangerous links, opening malicious attachments, and sharing personal details.

Redscan’s Social Engineering services are designed to thoroughly assess the ability of your organisation’s systems and personnel to detect and respond to targeted email phishing attacks. By mirroring the tactics, techniques and procedures used by genuine adversaries, our range of tailored assessments help to test defences, identify potential data leaks, highlight weaknesses in human behaviour, and improve employee cyber awareness.

Key benefits of our social engineering testing service

Understand how susceptible your employees are to falling foul of social engineering attacks.

Understand your digital footprint

Gain visibility of the information that an attacker could gather about your business from intelligence freely available in the public domain.

Challenge defences

Challenge your organisation’s cyber security controls, such as firewall rules, to ensure they are effective at identifying and blocking social engineering attacks.

Raise cyber awareness

Improve employee cyber security awareness by using a simulated social engineering attack to highlight good and bad practices.

Improve security training

Use the results of a simulated social engineering assessment to help develop an effective security awareness training programme.

Our phishing services

Phishing-as-a-service

Phishing is one of the most common attack vectors used by cybercriminals. By creating emails that imitate those of trusted individuals and organisations, fraudsters seek to lure users into clicking links or attachments that install keystroke logging malware, or divulge personal information such as passwords.

Redscan's phishing simulation service assesses your employees' awareness of phishing email scams. A phishing test can be conducted as a standalone exercise or as part of a Red Team Operation designed to comprehensively measure threat detection and response capabilities.

Spear phishing-as-a-service

Spear phishing is a highly targeted phishing attack designed to compromise a specific individual, usually a system administrator or other high-authority individual. Redscan’s spear phishing service tests the susceptibility of an agreed target to revealing confidential information.

Business Email Compromise

A Business Email Compromise (BEC) is a type of phishing attack involving the impersonation of a senior executive. Its aim is to trick an employee, customer or vendor into wiring payment for goods or services to an alternate bank account.

Redscan’s social engineering service can be used to simulate a Business Email Compromise attack, and test awareness of other fraudulent practices such as mandate fraud and distribution fraud.

Social engineering penetration testing

Social engineering is an attack vector commonly used by Redscan’s CREST-certified ethical hackers as part of a wider cyber security assessment. Learn more about our complementary range of cyber security testing services.

Approach to social engineering tests

Redscan’s approach to social engineering mirrors the latest tactics, techniques and procedures (TTPs) used by fraudsters. A typical anti-phishing assessment involves:

Reconnaissance

Using open-source intelligence (OSINT) gathering techniques, our team of ethical hackers seeks to identify valuable company and employee information that could be used to improve the success of the intended simulated social engineering assessment.

Mobilisation

Using all aggregated intelligence and their knowledge of the latest TTPs, our experts carefully prepare your phishing test to ensure that it is as authentic as possible and stands the best chance of achieving a pre-agreed objective.

Execution

We execute the phishing test and, if part of the scope of the assessment, spoof any compromised users in order to escalate network privileges and make fraudulent requests, such as those common in distribution fraud and BEC attacks.

Reporting and debrief

Upon completion of the social engineering operation, we document its results and provide recommendations to help address any identified risks and improve security awareness training programmes.

Phishing test methodologies

Redscan’s social engineering services can be aligned to both black box and white box testing methods.

Black-box

Under a black box social engineering simulation, Redscan’s ethical hackers have no prior knowledge of your organisation’s environment. Reconnaissance is conducted to identify intelligence about employees and security controls in place.

White-box

A white box approach is used in instances where phishing testing targets specific employees using pre-supplied email addresses.

Frequently asked questions

What is social engineering?

Social engineering is one of the most common attack vectors used by cybercriminals to compromise organisations’ cyber security. The term describes the use of psychological manipulation as a means of tricking users into divulging sensitive information and/or performing actions, such as clicking links or opening malicious attachments.

What is phishing?

Phishing is a form of social engineering involving the large-scale dissemination of emails and other electronic communications in an attempt to lure users into revealing sensitive information such as account names, passwords and credit card details.

Why is phishing commonly used by hackers?

Users are often the weakest link in the security chain. Phishing enables criminals to harvest user credentials and payment card information en masse. The wide availability of phishing tools on the internet enables even less skilled individuals to launch attacks.

How can businesses prevent phishing attacks?

To defend against phishing attacks, organisations need suitable controls and processes in place to block, detect and respond to evolving attack vectors. Employee education, robust perimeter security, user management, email authentication and SIEM are among the measures that help achieve effective phishing attack prevention.

What is anti-phishing?

Anti-phishing is a collective term used to describe the tools and services available to help organisations identify and prevent phishing attacks.

What is baiting?

In the context of social engineering, baiting is used by criminals to trick users into disclosing personal information, such as account credentials for services like online banking and parcel delivery. Hackers will go to great lengths to spoof well-known companies and use fake offers, service updates and security alerts to fool as many recipients as possible.

Examples of successful social engineering attacks

In March 2018, Italian football club Lazio lost €2m after wiring a player transfer fee into a fraudster’s bank account.

Dublin Zoo was hit by a BEC scam in 2017, reportedly leading to the loss of €500,000.

MacEwan University in Canada lost $9.5m after staff failed to identify an online phishing scam.
